Abstract

Enterprise Resource Planning (ERP) is the technology which 
provides the unified business junction to the organization by 
integrating its core processes. ERP is undergoing a 
transformation which will make it highly integrated, more 
intelligent, more collaborative, web-enabled and even wireless. 
ERP systems have to be secure. Many ERP vendors are 
integrating security into their products. While these security 
solutions may work for a closed environment, we need new 
approaches for an open environment. This paper introduces 
ERP technology from its evolution through its architecture to its 
products. The security solutions as well as directions for secure 
ERP systems are also presented. 

Keywords: Enterprise Resource Planning, Exchange 
Infrastructure, RBAC, Authorization, Security Policies, Web 
Services, SOA 

1. Introduction 

Enterprise Resource Planning, an approach to business 
integration, has been widely deployed in various kinds of 
organizations since it was defined by Gartner Group in the 
1990s as the next generation of Manufacturing Business System 
and Manufacturing Resource Planning software. Today, ERP is 
considered to be "the price of entry for running a business" [1]. 
An ERP system is an integrated, configurable and tailorable 
information system which plans and manages all the resources 
and their use in the enterprise, and streamlines and incorporates the 
business processes within and across the functional or technical 
boundaries in the organization. With ERP, an enterprise can 
automate its fundamental business applications, reduce the 
complexity and the cost of collaboration, and force itself 
to take part in Business Process Reengineering (BPR) 
to optimize its operations, which finally results in decreased 
operation costs and increased profits. 

The objective of this paper is to give a comprehensive 
discussion of the state of the art in ERP technology and the 
security issues for an ERP system. In particular, we discuss the 
evolution of ERP, the key components of ERP, the status of 
vendor products and also what has been done with respect to 
security. Our research as well as plans for secure ERP systems 
will also be discussed. 

The organization of this paper is as follows. The history and 
evolution of ERP systems are given in section 2. ERP 
technologies and framework, including communication 
platforms such as EDI, ALE and Exchange Infrastructure, are 
presented in section 3. Section 3 also includes a discussion of 
the ERP architecture, some aspects of SAP and the emerging 
web services for ERP. Major ERP vendors and their products 
are discussed in section 4. Security issues for ERP systems are 
discussed in section 5. In particular, an overview of ERP 
security using a layered approach, as well as the RBAC model 
for ERP, is discussed. We compare these security features 
with the authorization function in the SAP R/3 system and the Baan 
security solution. Some trends for ERP systems as well as 
security are discussed in section 6. The paper is concluded in 
section 7. 

2. History of ERP Systems and Applications 

The history of ERP traces back to the 1960s, when most 
organizations were developing centralized computing 
systems using Inventory Control (IC) packages in order to 
automate their inventory control systems. These legacy systems 
are mostly based on programming languages such as 
COBOL and FORTRAN. Material Requirements Planning 
(MRP) systems were developed in the 1970s in order to provide 
requirements planning of products, and Manufacturing 
Resources Planning (MRP II) in the 1980s to provide 
optimization of the manufacturing processes. ERP emerged in the 
early 1990s as an enterprise-wide and cross-functional 
integration of the core organizational business processes 
to the intended components. The inbound process will store the 
communication IDoc into the database, and a posting program 
will be triggered to read the IDoc; the document will then be 
created and delivered to the application program. 

3.3 SAP Exchange Infrastructure 

With EDI and ALE technologies, distributed business processes 
within an enterprise have the ability to communicate with each 
other via one-to-one links. In a small enterprise which has a 
small number of components, one-to-one communication is the 
best way to integrate the business processes as it can be 
achieved with ease. But in cases where a large number of 
components are involved, this brings higher complexity and 
cost of communication and a negative impact on the stability of 
the environment. In this situation, a common communication 
infrastructure that allows central management of the 
information avoids these complications and brings more 
flexibility for expanding the business. 

SAP Exchange Infrastructure [4] is the layer of SAP NetWeaver 
- SAP's integration platform - for integrating heterogeneous 
components in a system landscape. Furthermore, with SAP 
Exchange Infrastructure, it is possible to create business 
processes across distributed systems which may be SAP or 
non-SAP systems. 

Integration using SAP Exchange Infrastructure is achieved 
by exchanging messages in open standards such as 
Extensible Markup Language (XML) and the Simple Object 
Access Protocol (SOAP). In the design stage, the specific 
integration information is stored in the Integration 
Directory and Integration Repository, and at run time it 
is used for routing and mapping. The SAP Exchange 
Infrastructure has the following components: 

• Integration Repository that stores integration knowledge 
from the design time. 

• Integration Directory that stores the knowledge that describes 
the integration-related parts of the customer landscape. 

• Integration Server which contains an Integration Engine and 
receives the exchanged messages, determines the receiver, 
performs the mapping and routes the messages to the receiver 
system. 

• Integration Monitor which monitors the exchange 
infrastructure. 
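The split between design-time knowledge (directory and repository) and run-time processing (engine and monitor) is easiest to see in code. The following is an added illustration, not SAP code: a toy integration engine whose routing table plays the Integration Directory, whose mapping programs play the Integration Repository, and whose log plays the Integration Monitor. System names, interface names and the two XML formats are all constructed for the example.

```python
"""Toy integration engine modelled on the four Exchange Infrastructure roles.
Added example, not SAP code; all names and schemas are constructed."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

# --- design time -------------------------------------------------------------
# Integration Directory: (sender system, outbound interface) -> receiver systems.
INTEGRATION_DIRECTORY: Dict[Tuple[str, str], List[str]] = {
    ("CRM_A", "SalesOrder_Out"): ["ERP_B", "WMS_C"],
}

MappingFn = Callable[[ET.Element], ET.Element]

def map_salesorder_to_erp(src: ET.Element) -> ET.Element:
    """Map the CRM order format to the ERP order format (constructed schemas)."""
    dst = ET.Element("ERPOrder")
    ET.SubElement(dst, "DocNum").text = src.findtext("OrderId")
    ET.SubElement(dst, "Partner").text = src.findtext("Customer")
    total = sum(float(i.findtext("Price")) * int(i.findtext("Qty"))
                for i in src.findall("Item"))
    ET.SubElement(dst, "NetValue").text = f"{total:.2f}"
    return dst

def map_salesorder_to_wms(src: ET.Element) -> ET.Element:
    """The warehouse only needs the pick list; prices are deliberately dropped."""
    dst = ET.Element("PickList")
    dst.set("ref", src.findtext("OrderId"))
    for item in src.findall("Item"):
        line = ET.SubElement(dst, "Line")
        line.set("sku", item.findtext("Sku"))
        line.set("qty", item.findtext("Qty"))
    return dst

# Integration Repository: (interface, receiver) -> mapping program.
INTEGRATION_REPOSITORY: Dict[Tuple[str, str], MappingFn] = {
    ("SalesOrder_Out", "ERP_B"): map_salesorder_to_erp,
    ("SalesOrder_Out", "WMS_C"): map_salesorder_to_wms,
}

# --- run time ----------------------------------------------------------------
class IntegrationEngine:
    def __init__(self) -> None:
        self.delivered: Dict[str, List[str]] = {}  # receiver -> serialized messages
        self.monitor: List[str] = []                # Integration Monitor log

    def receive(self, sender: str, interface: str, payload_xml: str) -> List[str]:
        """Receiver determination, mapping and routing for one inbound message."""
        receivers = INTEGRATION_DIRECTORY.get((sender, interface))
        if not receivers:
            self.monitor.append(f"NO_RECEIVER sender={sender} interface={interface}")
            return []
        src = ET.fromstring(payload_xml)
        routed: List[str] = []
        for rcv in receivers:
            mapping = INTEGRATION_REPOSITORY.get((interface, rcv))
            if mapping is None:
                self.monitor.append(f"NO_MAPPING interface={interface} receiver={rcv}")
                continue
            out = ET.tostring(mapping(src), encoding="unicode")
            self.delivered.setdefault(rcv, []).append(out)
            self.monitor.append(f"ROUTED {sender}->{rcv} via {interface}")
            routed.append(rcv)
        return routed

# Constructed sample message from the CRM system.
SAMPLE_ORDER = """<SalesOrder><OrderId>SO-1001</OrderId><Customer>C-42</Customer>
<Item><Sku>A1</Sku><Qty>2</Qty><Price>10.50</Price></Item>
<Item><Sku>B7</Sku><Qty>1</Qty><Price>4.00</Price></Item></SalesOrder>"""

def demo() -> IntegrationEngine:
    engine = IntegrationEngine()
    engine.receive("CRM_A", "SalesOrder_Out", SAMPLE_ORDER)
    engine.receive("CRM_A", "Unknown_Out", SAMPLE_ORDER)  # no routing rule configured
    return engine

if __name__ == "__main__":
    e = demo()
    print("\n".join(e.monitor))
    for rcv, msgs in e.delivered.items():
        print(rcv, msgs)
```

Two points worth noticing: a message with no routing rule is rejected and logged rather than silently dropped, and each receiver gets only the fields its mapping emits (the warehouse never sees prices), which is where a central hub can enforce a data-minimisation policy that one-to-one links cannot.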

While the SAP Exchange Infrastructure is the cornerstone of the 
ERP architecture, there are many other components to the 
architecture. These components are discussed in the next 
section. 

3.4 ERP Architecture 

There are many disadvantages in the MRP II and MRP 
technologies. In an enterprise, some of the systems may be 
developed by the enterprise itself, while others may be 
developed by different vendors using different databases, 
languages and technologies. Because the systems differ from each 
other, the organization cannot upgrade its 
businesses, strategy and information technologies in an 
effective way. With the communication infrastructure and the 
ERP functionalities encapsulated in components, an ERP 
system can easily meet these requirements. A typical ERP 
system should at least have the following features: 

• Componentized: different business functionalities are 
designed as different components. 

• Centralized: all the components share a centralized database 
management system. 

• Integrated: components are integrated and seamless data flow 
between components allows them to collaborate as one 
function. 

• Flexible: the system is expandable and compatible with the old 
systems, and changes to the business processes and strategies 
are easy to fulfill. 

• Configurable & tailorable: the system should be easily 
configured according to the enterprise's needs. 

• Real-time: the components work in real time; online and 
batch processing modes should both be available. 

The business logic in an ERP system employs a client/server 
architecture to create a distributed computing environment. In 
the general case, a three-tier architecture is used, which 
contains three layers of logic: 

• Presentation Layer (Front): A unified Graphical User 
Interface (GUI) or browser which collects input, generates 
requests and returns the results back to the user. 

• Application Layer (Middle): Application programs which 
collect the requests from the Presentation layer and process 
the requests based on the business rules, functions or logics. 

• Database Layer (Back): RDBMS which manages the 
operational and business data throughout the whole enterprise 
and the user access to this information. 

As the basis of the ERP system, an information exchange 
platform such as SAP NetWeaver will always be deployed 
Oracle provides the server technologies that the ERP 
applications can utilize, while SAP and Baan rely on various 
vendor products for server technologies. Note that Baan has now 
been purchased by SSA. Microsoft is also becoming a player in ERP 
software. We discuss the essential points of the various 
products below. 

SAP (Systems, Applications and Products in Data Processing) 
was formed in 1972 by five former IBM employees in Germany. 
It focuses on the development of application software for 
real-time business processing, with its first accounting software 
developed in 1973. Its first ERP product, SAP R/2, was 
developed in the late 1970s using a centralized database and dialog 
control system. In the 1990s, SAP R/3, which uses the three-tier 
architecture of database, application and user interface, was 
released on the market. R/3 was a breakthrough which made 
SAP the largest vendor in the ERP market by 1999. By 
2005, there were around 100,000 installations around the world, 
more than 1,500 partners, over 25 industry-specific business 
solutions, and more than 30,000 customers in over 100 
countries. SAP now owns 26% of CRM market share, 29% of 
ERP market share and 19% of SCM market share by total 
software revenue. SAP NetWeaver unifies the integration 
technologies into a single platform which lays the foundation to 
integrate all the systems which run SAP or non-SAP software. 
It is the basis of SAP ERP applications, partner solutions and 
custom-built applications. SAP R/3 is the third-generation set of 
highly integrated software which performs the core business 
functions within a company, while mySAP, which also includes 
the R/3 component as an important building block, is more 
intended to empower collaboration between organizations. 
mySAP is a web-based e-business suite. 

Oracle, which was founded in the 1970s in the USA, is most famous 
for its well-known relational database Oracle and is the second 
largest software company in the world. In 1987, Oracle offered 
its first ERP software, Oracle General Ledger. In the following 
years, Oracle developed other ERP software such as self-service 
applications, a strategic procurement solution, a financial 
consolidation engine, and a flow manufacturing product. Oracle's 
ERP system is known as Oracle E-Business Suite, which has 
more than 50 different modules covering the following areas: 
finance, accounting, human resources, manufacturing, supply 
chain management, project and front office. Oracle also has 
many other well-reputed products in other fields such as 
database, data warehousing, and workflow. After the acquisition 
of PeopleSoft and JD Edwards in 2004, Oracle gained 
approximately 22% of the ERP market share. PeopleSoft 
Enterprise is the business application suite that offers web 
services integration with multi-vendor and homegrown 
applications; it is generally considered easier to configure 
and more flexible than its competitors. 

JD Edwards: JD Edwards EnterpriseOne and JD Edwards 
World are both business applications from the J.D. Edwards 
Company, which has vast experience in supplying software for 
the IBM iSeries platform. JD Edwards World provides 
web-enabled applications for the management of plants, 
inventories, equipment, finances and people. 

Sage, which was founded in England in 1981, entered the ERP 
market and gained a solid market share using the strategy of 
acquiring small ERP vendors such as Tetra and Interact Commerce 
Inc. By 2005, Sage had revenues of $1.4 billion in the ERP market 
and claimed 6% of the market share as the third largest ERP 
vendor. Sage Line 500 v6 is the newest version of the Sage Line 
500 product family, which is a web-based integrated ERP 
solution covering the core functionalities of a company. Sage 1000 
is new, single business management software which is designed 
to support the operations of mid-size organizations. 

Microsoft, founded in 1975, is the biggest software company in 
the world with its famous Windows series of products. The Microsoft 
Business Solutions Group (MBS) is the department which 
focuses on providing ERP solutions, such as Microsoft 
Dynamics (formerly Microsoft Business Solutions), which is an 
integrated business management solution that includes 
financials, customer relationship management and supply chain 
management. By 2004, MBS had revenue of around $800 
million, which gave it 4% of the ERP market share. 

Others: In addition to the above vendors there are several other 
ERP vendors. In 2004, the biggest ERP vendors - SAP, Oracle, 
Sage, Microsoft and SSA - accounted for around 70% of the ERP 
market share by revenue. The other 30% is shared by other 
ERP vendors such as Geac, Intentia, Infor Global Solutions and 
Lawson. 

5. Security in ERP 
5.1 Overview 

Security is critical for ERP systems as they are being applied to 
numerous industries including defense, intelligence, medical 
and financial. First of all we need to develop a security policy 

• Permissions: A permission is the access to one or more objects 
in the system. A permission has different meanings in 
different environments. In a database system, a permission 
refers to rights such as select, update, delete or insert on a 
record. In an accounting application, it may be rights such 
as account creation/deletion, credit/debit and transfer. [6] 

• Roles: A role is a named job function within the organization. 
Roles may be hierarchical. For example, an engineer role is 
also an employee role. 

• Users: A user is a human being who may be assigned to one 
or more roles. 

• Constraints: In a system where there is only a single 
administrator, constraints may be meaningless. If the 
administration is decentralized, which means there are 
several administrators, constraints are used by the 
senior administrator to restrict a junior administrator's right 
to grant/deny permissions. 

Fig. 2 The model of role-based access control 
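The four elements above (permissions, hierarchical roles, users, constraints) fit in a short model. The following is an added illustration written for this page, not code from the paper or from any ERP product; role names, permissions and the two administrators are constructed. The constraint modelled is the one the text describes: a senior administrator limits which roles a junior administrator may assign.

```python
"""Minimal RBAC model: permissions, hierarchical roles, users and an
administrative constraint for decentralized administration.
Added example; all names are constructed."""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (action, object), e.g. ("update", "payroll")

class RBAC:
    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.parents: Dict[str, Set[str]] = {}      # role -> roles it inherits from
        self.user_roles: Dict[str, Set[str]] = {}
        # Constraint: roles each administrator is allowed to grant. The senior
        # administrator fills this table; junior admins cannot change it.
        self.admin_scope: Dict[str, Set[str]] = {}

    def add_role(self, role: str, *parents: str) -> None:
        self.role_perms.setdefault(role, set())
        self.parents.setdefault(role, set()).update(parents)

    def grant_permission(self, role: str, perm: Permission) -> None:
        self.role_perms[role].add(perm)

    def effective_roles(self, role: str) -> Set[str]:
        """A role plus everything it inherits (engineer is also employee)."""
        seen: Set[str] = set()
        stack = [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.parents.get(r, ()))
        return seen

    def assign(self, admin: str, user: str, role: str) -> bool:
        """Assign a role to a user; refused if the role is outside admin's scope."""
        if role not in self.admin_scope.get(admin, set()):
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def check(self, user: str, perm: Permission) -> bool:
        """Access decision: does any role the user holds, directly or by
        inheritance, carry the permission?"""
        for role in self.user_roles.get(user, ()):
            for r in self.effective_roles(role):
                if perm in self.role_perms[r]:
                    return True
        return False

def build_demo() -> RBAC:
    ac = RBAC()
    ac.add_role("employee")
    ac.add_role("engineer", "employee")       # engineer inherits employee
    ac.add_role("payroll_clerk", "employee")
    ac.grant_permission("employee", ("select", "timesheet"))
    ac.grant_permission("engineer", ("update", "design_doc"))
    ac.grant_permission("payroll_clerk", ("update", "payroll"))
    # Senior admin may grant any role; the engineering admin only two of them.
    ac.admin_scope["senior_admin"] = {"employee", "engineer", "payroll_clerk"}
    ac.admin_scope["eng_admin"] = {"employee", "engineer"}
    return ac

def demo() -> Tuple[RBAC, bool, bool]:
    ac = build_demo()
    ok_engineer = ac.assign("eng_admin", "alice", "engineer")       # within scope
    ok_payroll = ac.assign("eng_admin", "alice", "payroll_clerk")   # refused
    return ac, ok_engineer, ok_payroll

if __name__ == "__main__":
    ac, a, b = demo()
    print(a, b, ac.check("alice", ("select", "timesheet")))
```

The refused assignment is the security-relevant case: with several administrators, the scope table is what stops a departmental admin from quietly giving a user a role in another department, and any change to that table should itself be logged.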
5.4.2 Authorization in SAP R/3 

Some of the concepts involved in authorization in the SAP R/3 
system are listed below [7]: 

• Authorization Object, which represents the authorization 
concept and consists of some authorization fields. 

• Authorization, which is an instance of one authorization 
object and defines the permitted value range of each 
authorization field of the authorization object. 

• Authorization Profile, which contains some authorizations 
which are assigned to the user by the administrator. 

• Authorization Check, which is used to protect the 
transactions or data you choose, and is embedded in the 
program logic. When the authorization check is performed, 
the authorization profile is compared with the 
values required to run the specific transaction. 

• User Master Record, which enables a user to log into the 
R/3 system and grants limited access to transactions and 
data. 

• Profile Generator, which is the component that helps 
administrators create, generate and assign authorization 
profiles using activity groups and users. 

A profile generator may have the following components: 

• Activity Group is a collection of activities such as tasks, 
reports and transactions. An activity group usually represents 
a job in the enterprise. An activity group can have many users 
assigned to it, and a user can also be assigned to many 
activity groups. An activity group can be assigned to the 
following types of users: user ID, job and position. A job 
represents the general classification of duties. A position 
represents a person's detailed individual assignment within 
an enterprise. The difference between job and position is that 
a job is just the title, which does not imply what projects you 
will do in the company, while a position does. 

• Composite Activity Group is the collection of several activity 
groups. 

• User Assignment is the task that assigns one or more 
users/roles/positions to one or more activity groups or 
composite activity groups. 

Another important concept in R/3 authorization is 
Authorization Administration, which denotes whether the 
creation, generation or assignment of authorizations is 
centralized or decentralized (one or more administrators). 

These concepts show that the mechanism of 
R/3 authorization is actually an instance of the Role-Based Access 
Control model, except that it contains some elements 
specifically used in the R/3 environment. Figure 4 provides a visual 
understanding of the model of authorization in the R/3 system. 
Furthermore, logging and tracing is also a required component 
to secure the application layer of an ERP system, although it is not 
the key function. 

Fig. 3 The model of authorization in R/3 
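The R/3 concepts listed above (authorization object, authorization, profile, activity group, user master record, authorization check, logging) map onto a small model. The code below is an added illustration, not SAP code: it shows how a check embedded in program logic is evaluated against the authorizations a user holds. The object names, field names, profile names and user IDs are constructed; the activity values 01/02/03 follow the usual create/change/display convention but the objects themselves are invented.

```python
"""Model of the R/3 authorization concept: objects with fields, authorizations
that fix permitted values per field, profiles grouped into activity groups,
users assigned to activity groups, and an authorization check with logging.
Added example, not SAP code; all identifiers are constructed."""
from typing import Dict, List, Set, Union

AllowedValues = Union[str, Set[str], tuple]   # "*", a set of values, or (lo, hi)

# Authorization objects and their authorization fields (constructed).
AUTH_OBJECTS: Dict[str, List[str]] = {
    "Z_ORDER": ["ACTVT", "SALESORG"],   # activity, sales organization
    "Z_TABLE": ["ACTVT", "TABLE"],      # activity, table name
}

class Authorization:
    """One instance of an object: a permitted value range for every field."""
    def __init__(self, obj: str, **fields: AllowedValues) -> None:
        missing = set(AUTH_OBJECTS[obj]) - set(fields)
        if missing:
            raise ValueError(f"{obj}: no value for fields {sorted(missing)}")
        self.obj = obj
        self.fields = fields

    def permits(self, field: str, value: str) -> bool:
        allowed = self.fields[field]
        if allowed == "*":                 # full authorization for this field
            return True
        if isinstance(allowed, tuple):     # inclusive range (lo, hi)
            lo, hi = allowed
            return lo <= value <= hi
        return value in allowed            # discrete set of values

# Profiles bundle authorizations; activity groups represent jobs and hold profiles.
PROFILES: Dict[str, List[Authorization]] = {
    "P_SALES_DISPLAY":   [Authorization("Z_ORDER", ACTVT={"03"}, SALESORG="*")],
    "P_SALES_EDIT_1XXX": [Authorization("Z_ORDER", ACTVT={"01", "02", "03"},
                                        SALESORG=("1000", "1999"))],
    "P_TABLE_ALL":       [Authorization("Z_TABLE", ACTVT="*", TABLE="*")],
}
ACTIVITY_GROUPS: Dict[str, Set[str]] = {
    "AG_SALES_REP_1XXX": {"P_SALES_EDIT_1XXX"},
    "AG_AUDITOR":        {"P_SALES_DISPLAY"},
    "AG_BASIS":          {"P_TABLE_ALL"},
}
# User master records: a user may be assigned to several activity groups.
USERS: Dict[str, Set[str]] = {
    "JSMITH": {"AG_SALES_REP_1XXX"},
    "AUDIT1": {"AG_AUDITOR"},
    "BASIS1": {"AG_BASIS", "AG_AUDITOR"},
}
AUDIT_LOG: List[str] = []   # logging and tracing, as the text calls for

def authority_check(user: str, obj: str, **required: str) -> bool:
    """The check a program performs before a protected transaction.
    Passes only if one single authorization permits every required field;
    field values from different authorizations are never combined."""
    if set(required) != set(AUTH_OBJECTS[obj]):
        raise ValueError("check must supply every field of the object")
    for ag in USERS.get(user, ()):
        for prof in ACTIVITY_GROUPS[ag]:
            for auth in PROFILES[prof]:
                if auth.obj == obj and all(auth.permits(f, v) for f, v in required.items()):
                    AUDIT_LOG.append(f"PASS {user} {obj} {required}")
                    return True
    AUDIT_LOG.append(f"FAIL {user} {obj} {required}")
    return False

if __name__ == "__main__":
    print(authority_check("JSMITH", "Z_ORDER", ACTVT="02", SALESORG="1500"))  # True
    print(authority_check("JSMITH", "Z_ORDER", ACTVT="02", SALESORG="2000"))  # False
    print("\n".join(AUDIT_LOG))
```

The rule that all required fields must be satisfied by a single authorization is the point to watch when reviewing profiles: if a checker combined the ACTVT value from one authorization with the SALESORG value from another, a display-only auditor who also held an unrelated change authorization would effectively gain change access everywhere. The failure log lines are the natural input for the logging component the text mentions.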
Various efforts have been reported on securing web services 
[10]. Furthermore, standards bodies such as OASIS have developed 
security specifications including SAML (Security Assertion 
Markup Language) and XACML (XML Access Control 
Markup Language) [11]. In addition, securing XML documents 
as well as securing semantic web technologies has received 
attention [12], [13]. Programs such as the Department of 
Defense Global Information Grid (GIG) have focused on 
security for service oriented architectures [14]. However, little 
work has been reported on adapting these technologies for 
securing ERP. This will be the major challenge. 

6. Trends 

Looking back at the history of ERP technology, we can see that 
the transformation from the mainframe structure to the 
client/server architecture has been a major step. With this 
architecture, it became possible to develop a large system which 
integrates many functionalities. Today, ERP has become the 
core of the operation and business of a company. With the 
emergence of the web, ERP systems will be web-based. We can 
expect the future of ERP systems to include the following 
features: 

• Heterogeneity: Heterogeneity means that 
components from different vendors coexist and cooperate in 
an ERP system. It has two prerequisites: componentization 
and integration. Some of the leading ERP 
vendors are working on, or have already delivered, these 
two aspects. Stronger communication platforms are provided 
to support heterogeneous applications, and applications are 
developed in the form of components. 

• Collaborative: This could be in the realm of e-business. We 
can classify the business processes within an enterprise into 
two types: enterprise-centric processes and collaborative 
processes. Processes such as accounting and payroll processing 
are enterprise-centric, while others such as supply chain 
management are almost completely collaborative. There are 
some processes in between, yet they are designed and 
developed in an enterprise-centric way. In the future, more of 
the processes will be redesigned in a collaborative way. This 
feature also implies that the ERP system will be more open 
and web-based. 

• Intelligent: ERP systems will include more components which 
carry out analysis, investigation or even advice on strategic 
transformation. This feature implies that more confidential 
information will flow within or out of an ERP system. 

• Web-based: With the emergence of the web, it is natural that 
the functionalities or services will become web-based, which 
will make the system highly exposed to security threats. 

• SOAs and Web Services: As we have stressed in this paper, 
future ERP systems will be based on SOAs. Such 
architectures provide the infrastructure to integrate and 
compose multiple web services. 

• Wireless: Access to the ERP system from a mobile device. 

Currently, there are two methods to secure an ERP system: 
access control and logging. However, there are factors that may 
prevent corporations from incorporating security into their ERP 
system. One reason is cost and time. Furthermore, 
stringent security controls make operation more complex 
and the system harder to use. In a large enterprise, there are many 
activities that may change an employee's authorization level, 
such as promotion or reassignment. This makes 
user-based access control difficult to implement. Logging 
systems that record detailed activities are costly 
and may have low performance as they have to trace every 
event and log all activities. As ERP systems become web-based, 
the security issues within an open system become critical. 

Usually, better security solutions result in higher cost 
and lower performance. This contradiction exists in any system. 
However, ERP systems are used to lower the cost and 
increase the profit of an enterprise; hence the performance of the 
system will be considered most important by the executives 
of an enterprise. While there are important factors that may 
deter security, security is crucial to protect the data and the 
processes. Therefore we need flexible security policy 
management and enforcement. There are times when security 
has to be overlooked to achieve performance, especially for 
real-time applications. However, in such situations, the 
implications of violating security have to be studied at length 
and appropriate actions have to be taken. 

7. Conclusion 

This paper has provided an overview of ERP systems as well as 
security for ERP systems. ERP is the technology which drives 
reformation in the realm of the economy and impacts people's 
lifestyles indirectly. In the ensuing years, we expect ERP 
systems and applications to be more integrated and intelligent. 
Furthermore, such systems will be web-based, service oriented 
and even wireless. The security issues for ERP systems have 
been present for a while, but due to the closed environment of 
current ERP systems, not much research has been carried out in 